1. Field of the Invention
This invention relates to arrangements for authenticating service request messages (SRMs). More specifically, the invention relates to arrangements for using minimal computational overhead in authenticating SRMs in secure networks.
2. Background Art
A multi-service application-aware network, such as a web service network, a service oriented architecture, or a Distributed XML Transformation System (DXTS), must support highly flexible authentication and delegation of access privileges, as data must typically flow through many processing nodes owned by diverse parties. Moreover, each node may provide multiple processing services, possibly owned by multiple non-cooperating stakeholders.
Further, the full execution of a task may involve multi-stage processing. For example, multi-stage processing may involve submitting a first request to a first processing node and then having the results of that request forwarded to a second processing node for further processing. At each stage of this “pipeline”, requests must be authenticated so that resources cannot be stolen or purposely wasted (as in a denial of service (DoS) attack).
Traditional Internet credentials involve a digital signature based on public key cryptography, an approach that is computation intensive. Because every request requires a complex calculation merely in order to be rejected, computation-intensive approaches permit denial of service (DoS) attacks to succeed. Thus, there is a need for an authentication approach that is much less computation-intensive, to minimize the effectiveness of denial of service attacks.
Another conventional authentication method involves a user authentication scheme native to the host on which the application runs. One example involves username/password pairs. The disadvantage of this conventional scheme is that all clients who wish to access a service using a single username/password combination must know the same password, making it impossible to reliably distinguish which client made which request.
Moreover, this conventional approach gives access to all applications installed on the machine and available to the username. This approach thus does not allow control over which applications are accessible to which clients, and does not permit tracking usage of specific applications by specific clients. Further, login credentials are not typically limited as to the number of application invocations they allow, nor as to the times at which the client is allowed to invoke particular applications.
Accordingly, there is a need for a finer grained authentication system that provides reliable client-to-application control and tracking.
Moreover, it is desirable that an authentication system be flexible in its ability to allocate, delegate or revoke credentials.
Further, there is a need for a flexible scheme that allows early rejection of unauthorized requests with small computational effort, and yet also allows flexible allocation, delegation, and revocation of credentials.